LoFP / Legitimate Node.js or undici-based automation, health checks, or internal services that use the Microsoft Authentication Broker or the same first-party application IDs against Microsoft Graph or Exchange Online may match. Developers using axios or undici with delegated (user) flows can also resemble this pattern.

Techniques

Sample rules

Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA)

Description

Detects Microsoft Entra ID sign-ins consistent with Tycoon 2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity: the Microsoft Authentication Broker requesting tokens for Microsoft Graph or Exchange Online, or the Office web client application (OfficeHome) authenticating to itself, combined with Node.js-style user agents (node, axios, undici). Tycoon 2FA bypasses MFA by proxying the victim's authentication and capturing the resulting session material, and is most often seen targeting Microsoft 365 and Gmail accounts. Baseline legitimate automation and developer tooling that uses these application IDs before tuning.

Detection logic

data_stream.dataset:"azure.signinlogs" and event.category:"authentication" and
event.action:"Sign-in activity" and
(
    (
        azure.signinlogs.properties.app_id:"29d9ed98-a469-4536-ade2-f981bc1d605e" and
        azure.signinlogs.properties.resource_id:(
            "00000002-0000-0ff1-ce00-000000000000" or "00000003-0000-0000-c000-000000000000"
        )
    ) or
    (
        azure.signinlogs.properties.app_id:"4765445b-32c6-49b0-83e6-1d93765276ca" and
        azure.signinlogs.properties.resource_id:"4765445b-32c6-49b0-83e6-1d93765276ca"
    )
) and user_agent.original:(node or axios* or undici)

M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)

Description

Detects Microsoft 365 unified audit "UserLoggedIn" events consistent with Tycoon 2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity: the Microsoft Authentication Broker requesting access where the object identifier is Microsoft Graph or Exchange Online, or the Office web client application (OfficeHome) authenticating to itself, combined with Node.js-style user agents (node, axios, undici). Tycoon 2FA bypasses MFA by proxying the victim's authentication and capturing the resulting session material, and is most often seen targeting Microsoft 365 and Gmail accounts. Baseline legitimate automation and developer tooling that uses these application IDs before tuning.

Detection logic

data_stream.dataset:"o365.audit" and event.category:"authentication" and event.action:"UserLoggedIn" and
(
    (
        o365.audit.ApplicationId:"29d9ed98-a469-4536-ade2-f981bc1d605e" and
        o365.audit.ObjectId:(
            "00000002-0000-0ff1-ce00-000000000000" or "00000003-0000-0000-c000-000000000000"
        )
    ) or
    (
        o365.audit.ApplicationId:"4765445b-32c6-49b0-83e6-1d93765276ca" and
        o365.audit.ObjectId:"4765445b-32c6-49b0-83e6-1d93765276ca"
    )
) and user_agent.original:(node or axios* or undici)
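The following is an added example, not Elastic's rule engine or any code from the rule authors: an offline re-implementation of both sample rules above (the Entra ID sign-in rule and the M365 UserLoggedIn rule) run over constructed, ECS-shaped events, so the shared application/resource clause and the user-agent clause can be exercised without a stack. It assumes the field layout the Elastic azure and o365 integrations emit (nested dicts under `azure.signinlogs.properties` and `o365.audit`) and that `user_agent.original` is a keyword field, so `node` and `undici` are exact values and `axios*` is a prefix match; the user names and user-agent strings are made up.

```python
# Offline re-implementation of the two Tycoon2FA AiTM rules on this page.
# Added example; the events below are constructed, not real telemetry.

# Application and resource identifiers taken from the rules above.
MS_AUTH_BROKER = "29d9ed98-a469-4536-ade2-f981bc1d605e"   # Microsoft Authentication Broker
OFFICE_HOME = "4765445b-32c6-49b0-83e6-1d93765276ca"      # Office web client (OfficeHome)
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online
MS_GRAPH = "00000003-0000-0000-c000-000000000000"         # Microsoft Graph


def get(event, dotted):
    """Walk a nested dict by an ECS-style dotted path; None if any hop is missing."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def has_value(field, wanted):
    """ECS fields such as event.category may be a scalar or a list; match either."""
    return wanted in field if isinstance(field, list) else field == wanted


def ua_matches(ua):
    """KQL `user_agent.original:(node or axios* or undici)`.
    Assumption: keyword mapping, so `node`/`undici` are exact, case-sensitive values
    and `axios*` is a prefix match on strings like `axios/1.7.2`. An analyzed text
    field would match per token instead; that variant is not modelled here."""
    return ua is not None and (ua in ("node", "undici") or ua.startswith("axios"))


def aitm_app_pattern(app_id, resource_id):
    """Shared clause: the Authentication Broker requesting Graph or Exchange Online,
    or OfficeHome authenticating to itself."""
    broker_to_graph_or_exo = app_id == MS_AUTH_BROKER and resource_id in (EXCHANGE_ONLINE, MS_GRAPH)
    officehome_to_self = app_id == OFFICE_HOME and resource_id == OFFICE_HOME
    return broker_to_graph_or_exo or officehome_to_self


def match_entra_signin(event):
    """Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA)."""
    return (
        get(event, "data_stream.dataset") == "azure.signinlogs"
        and has_value(get(event, "event.category"), "authentication")
        and get(event, "event.action") == "Sign-in activity"
        and aitm_app_pattern(get(event, "azure.signinlogs.properties.app_id"),
                             get(event, "azure.signinlogs.properties.resource_id"))
        and ua_matches(get(event, "user_agent.original"))
    )


def match_m365_userloggedin(event):
    """M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)."""
    return (
        get(event, "data_stream.dataset") == "o365.audit"
        and has_value(get(event, "event.category"), "authentication")
        and get(event, "event.action") == "UserLoggedIn"
        and aitm_app_pattern(get(event, "o365.audit.ApplicationId"),
                             get(event, "o365.audit.ObjectId"))
        and ua_matches(get(event, "user_agent.original"))
    )


def entra_event(user, app_id, resource_id, ua, action="Sign-in activity"):
    """Constructed Entra ID sign-in event in the shape the azure integration emits."""
    return {"data_stream": {"dataset": "azure.signinlogs"},
            "event": {"category": ["authentication"], "action": action},
            "user": {"name": user}, "user_agent": {"original": ua},
            "azure": {"signinlogs": {"properties": {"app_id": app_id, "resource_id": resource_id}}}}


def m365_event(user, app_id, object_id, ua, action="UserLoggedIn"):
    """Constructed M365 unified audit event in the shape the o365 integration emits."""
    return {"data_stream": {"dataset": "o365.audit"},
            "event": {"category": ["authentication"], "action": action},
            "user": {"name": user}, "user_agent": {"original": ua},
            "o365": {"audit": {"ApplicationId": app_id, "ObjectId": object_id}}}


# Constructed samples: two Entra hits, one M365 hit, three that must not fire.
SAMPLE_EVENTS = [
    entra_event("alice", MS_AUTH_BROKER, MS_GRAPH, "axios/1.7.2"),                       # fires
    entra_event("bob", OFFICE_HOME, OFFICE_HOME, "undici"),                              # fires
    entra_event("carol", MS_AUTH_BROKER, MS_GRAPH, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),  # browser UA
    entra_event("dave", MS_AUTH_BROKER, OFFICE_HOME, "node"),                            # resource not Graph/EXO
    m365_event("erin", MS_AUTH_BROKER, EXCHANGE_ONLINE, "node"),                         # fires
    m365_event("frank", MS_AUTH_BROKER, EXCHANGE_ONLINE, "node", action="UserLoginFailed"),  # wrong action
]

RULES = [
    ("Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA)", match_entra_signin),
    ("M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)", match_m365_userloggedin),
]


def run_rules(events):
    """Return (rule name, user.name) for every event/rule pair that fires, in event order."""
    return [(name, get(e, "user.name")) for e in events for name, fn in RULES if fn(e)]


if __name__ == "__main__":
    for name, user in run_rules(SAMPLE_EVENTS):
        print(f"{name}: {user}")
```

The non-firing samples are the ones worth keeping when tuning: a browser user agent on the same broker-to-Graph pattern is the normal interactive case, and the Authentication Broker requesting a resource other than Graph or Exchange Online falls outside the rule entirely. The legitimate automation described in the LoFP note at the top of this page would look exactly like the "alice" or "erin" events, which is why those application IDs need to be baselined per tenant rather than suppressed globally.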